For each enterprise domain you configure, specify the directories
that the authentication provider queries for user information. You
can configure multiple directories for a domain.

Adding directories or custom SPIs

For each enterprise domain you configure, specify the directories
that the authentication provider queries for user information. You
can add a directory to an existing enterprise domain or to a new
enterprise domain that you are adding. You can configure multiple
directories for a domain. You can also configure a domain to use
a custom Service Provider Interface (SPI) for synchronization.

To verify that a connection can be made to the LDAP server,
click Test. If the test fails, review the exception in the Application
Server log file to determine the root cause of the failure. Click
Close and then click Next.

To verify that the base DN and other configured attributes
collect the correct batch of users, click Test. LDAP attempts to
retrieve the first 200 records by using the provided settings (such
as the base DN, search filter, and all attributes).

If users
are returned, the results show the values that are assigned to each
field as per the attribute set. If the test fails because of a non-existent
server name, incorrect authorization information, or incorrect attributes,
the following error message appears: "The search criteria specified
did not return any result". To determine the root cause of the failure,
review the exception in the Application Server log file. Click Close
and then click Next.

To verify that the base DN and other configured attributes
collect the correct batch of groups, click Test. If groups are returned,
the results show the values that are assigned to each field as per
the attribute set. Click Close.

Add a custom SPI

For information about creating a custom SPI, see "Developing
SPIs for AEM forms" in Programming with AEM forms. To make
a newly deployed custom SPI available for association with the domain,
restart the server.

Delete a directory

When you synchronize your domains after deleting a directory,
all users and groups in that directory are marked obsolete in the
database. They will not be returned in any search from Administration
Console.

Directory settings

When you add a directory to a domain, specify the following
directory settings.

Server:

(Mandatory) Fully qualified domain name (FQDN) of the directory server.
For example, for a computer called x on the corp.adobe.com network, the
FQDN is x.corp.adobe.com. An IP address can be
used in place of the FQDN server name.

Port:

(Mandatory) The port that the directory server uses. Typically
389, or 636 if the Secure Sockets Layer (SSL) protocol is used for
sending authentication information over the network.

SSL:

(Mandatory) Specifies whether the directory server uses SSL
when sending data over the network. The default is No. When set
to Yes, the corresponding LDAP server certificate must be trusted
by the Java™ runtime environment (JRE) of
the application server.

Binding

(Mandatory) Specifies how to access the directory.

Anonymous:

No user name or password is required. An anonymous user may be
able to fetch only a limited amount of data. This option may be
useful for initial testing.

User:

Authentication is required. In the Name box, specify the
name of the user record that can access the directory. It is best
to enter the full distinguished name (DN) of the user account,
such as cn=Jane Doe, ou=user, dc=can, dc=com. In
the Password box, specify the associated password. These settings are
required when you select User as the Binding option.

Name:

Name that can be used to connect to the LDAP database when anonymous
access is not enabled. For Active Directory 2003, specify [domain name]\[userid].
For Sun™ One, eDirectory or IBM Tivoli Directory
Server, specify the fully qualified name of the user, such as uid=lcuser,ou=it,o=company.com.

Password:

Password that corresponds with the name you specified to
connect to the LDAP database when anonymous access is not enabled.

Populate Page With:

When selected, populates attributes on the User and Group
settings pages with corresponding default LDAP values.

Retrieve Base DNs:

Retrieves the base DNs and displays them in the drop-down
list. This setting is useful when you have multiple base DNs and
need to select a value.

Enable referral:

This setting is applicable when your organization uses multiple
Active Directory domains organized in a hierarchical structure and
you have specified directory settings for only the parent domain.
In this situation, when you select this option, User Management
can access user and group details from the child domains.

Note: Click Test to verify that a connection can be
made to the LDAP server. To determine the root cause of any failures,
review the exception in the Application Server log file.

User settings

Unique Identifier:

(Mandatory) A unique and constant attribute used to identify
users. Use a non-DN attribute as the unique identifier because a
user’s DN may change if they move to another part of the organization.
This setting depends on the directory server. The value is objectGUID for
Active Directory 2003, nsuniqueID for Sun™ One, and guid for eDirectory.

Note: Ensure that you enter an attribute that is
guaranteed to be unique in your organization. Entering an incorrect
value can cause serious system problems.

Base DN:

Set as the starting point for synchronizing users and groups
from the LDAP hierarchy. It is best to specify a base DN at the
lowest level of the hierarchy that encompasses all users and groups
that need to be synchronized for services.

If you selected
the Enable referral option in the Directory settings, set the Base DN
option to the dc part of the DN. For the referral to work,
the search span must include both parent and child domains.

Note: Do not include the user’s DN in this setting.
To synchronize a particular user, use the Search Filter setting.

Although
Base DN is a mandatory setting in administration console, some directory
servers such as IBM Domino Enterprise Server may require an empty BaseDN.
To specify an empty Base DN, export the config.xml file, edit the
setting in the config.xml file, and then reimport it. (See Importing
and exporting the configuration file.)

Search Filter:

(Mandatory) The search filter to use to find the record that is associated with the user. You can perform a one-level search or a sub-level search. (See Search Filter Syntax or RFC 2254.) Additional information for the Microsoft AD schema, see Active Directory Schema.

Description:

Schema attribute for the description of the user

Full Name:

(Mandatory) Schema attribute for the full name of the user

Login ID:

(Mandatory) Schema attribute for the user’s login ID

Last Name:

(Mandatory) Schema attribute for the user’s last name

Given Name:

(Mandatory) Schema attribute for the user’s first name

Initials:

Schema attribute for the user’s initials

Business Calendar:

Enables you to map a business calendar to a user, based on the
value for this setting (the business calendar key). Business
calendars define business and non-business days. AEM forms can use
business calendars when calculating future dates and times for events
such as reminders, deadlines, and escalations. The way you assign
business calendar keys to users depends on whether you are using
an enterprise, local, or hybrid domain. (See Configuring Business
Calendars.)

If you are using an enterprise domain,
you can map the Business Calendar setting to a field in the LDAP
directory. For example, if each user record in your directory contains
a country field, and you want to assign business calendars
based on the country where the user is located, specify the country field
name as the value for the Business Calendar setting. You can then
map the business calendar keys (the values defined for the country field
in the LDAP directory) to business calendars in forms workflow.

The
amount of space used to display the name of the business calendar
key in the forms workflow pages is limited. Limit the name of the
business calendar key to less than 53 characters to avoid having
it truncated on those pages.

Schema attribute for the name of the organization to which
the user belongs.

Primary Email:

Schema attribute for the primary email address of the user.

Secondary Email:

Schema attribute for the secondary email address of the user.

Telephone:

Schema attribute for the user’s telephone number.

Postal Address:

Schema attribute for the user’s mailing address.

Locale:

Schema attribute that contains the ISO locale information.
The value is a two-letter language code or a language and country
code.

Time Zone:

Schema attribute that contains the time zone where the user
is located. The value is a string such as City/Country.

Enable Virtual List View (VLV) Control:

An LDAP control that enables AEM forms to retrieve data in
batches from the directory server. If you are using Sun One as your
LDAP directory and the directory contains many users, enabling VLV creates
an index that User Management can use when searching users. This feature
is useful when using a normal user account that can synchronize
only a limited amount of data. You can also enable VLV for groups.
If you select Enable Virtual List View (VLV) Control, specify a
name in the Sort Field box.

If you selected Enable Virtual List View (VLV) Control, specify
the attribute name used to sort the index. This attribute name (such
as uid) is the one you specified when you created an index for VLV
on the directory server.

Group settings

Unique Identifier:

(Mandatory) A unique and constant attribute used to identify
groups. Use a non-DN attribute as the unique identifier. This setting depends
on the directory server. The value is objectGUID for
Active Directory 2003, nsuniqueID for Sun One,
and guid for eDirectory.

Note: Ensure
that you enter an attribute that is guaranteed to be unique in your
organization. Entering an incorrect value can cause serious system
problems.

Base DN:

(Mandatory) Base distinguished name of the directory.

Although
Base DN is a mandatory setting in administration console, some directory
servers such as IBM Domino Enterprise Server require an empty BaseDN.
To specify an empty Base DN, export the config.xml file, edit the
setting in the config.xml file, and then reimport it. (See Importing
and exporting the configuration file.)

Search Filter:

(Mandatory) The search filter to use to find the record that
is associated with the group. You can perform a one-level search
or a sub-level search.

Description:

Schema attribute for the description of the group

Full Name:

(Mandatory) Schema attribute for the full name of the group

Member DN:

(Mandatory) Schema attribute for the distinguished name of members
within a group

Member Unique Identifier:

Unique identifier for a user or group that is a member of
the selected group. This value depends on the directory server.
The value is objectSID for AD2003, nsuniqueID for
Sun One, and guid for eDirectory.

If Member
DN is specified with a non-DN attribute, User Management uses Member
Unique Identifier to query LDAP to collect the user’s DN as it corresponds
to a unique identifier value.

If DN is specified as a unique
identifier, you do not need to configure Member Unique Identifier.

Organization:

Schema attribute for the name of the organization to which
the group belongs

An LDAP control that enables AEM forms to retrieve data in
batches from the directory server. If you are using Sun One as your
LDAP directory and the directory contains many groups, enabling VLV
creates an index that User Management can use when searching groups.
This feature is useful when using a normal user account that
can synchronize only a limited amount of data. You can also enable
VLV for users. If you select Enable Virtual List View (VLV) Control,
specify a Sort Field Name.

If you selected Enable Virtual List View (VLV) Control, specify the
attribute name used to sort the index. This attribute name is the
one you specified when you created an index for VLV on the directory
server.

Note: Click Test to verify that the user
and group settings are collected based on the base DN and search
criteria. If users and groups are returned, the results show the values
that are assigned to each field as per the attribute set.

Note: User Management does not support duplicate user
IDs within a domain; only one user with the user ID is synchronized.

Configure User Management to use
Virtual List View (VLV)

Directory synchronization is an important requirement for
User Management. The users and groups are synchronized from an enterprise
directory to the AEM forms database for assigning roles and permissions.
The number of users varies from 100 to 100000+ depending on the
requirements, and it poses an engineering challenge to synchronize
data efficiently.

The LDAP protocol provides a mechanism to query large data sets
in a paginated way by using request controls. When using Microsoft
Active Directory, LDAP to AEM forms database synchronization uses
PagedResultsControl for retrieving data in batches of a particular
size. The Sun ONE Directory Server does not support this control.
To complete a paginated query against the Sun ONE Directory Server,
use the Virtual List View (VLV) control. This control involves both directory
server-side configuration and client-side implementation.

Poznámka:

This section describes using the VLV control
for the Sun ONE Directory Server. However, you can use this control
for any directory server that supports VLV control.

When configuring the directory, select Enable Virtual
List View (VLV) Control on both the User Settings page and the Group
Settings page. When you select the check box, you must also specify
a sort name in the Sort Field box. The default value is uid. (See Adding
directories or custom SPIs or Edit
a directory.)

Use Sun ONE administration console or a command-line script
to create the LDAP VLV entries for users and groups. If you use
a command-line script, you can use the sample users and groups LDIF
files. (See Configuring
the Sun ONE Directory Server for VLV.)

Configuring the Sun ONE Directory
Server for VLV

Creating a VLV requires a pair of entries that include
the vlvSearch and vlvIndex object
classes. The vlvSearch entry includes a search base and the vlvFilter attribute,
which specifies the object class that contains the attributes you
intend to sort. The vlvIndex object class includes
the vlvSort attribute, which specifies one or more
attributes to sort and the order to sort them in. (A minus sign
(-) denotes reverse alphabetical order). Using VLV with AEM forms
requires separate entries for users and groups.

Poznámka:

The Object entries can be created by using the
Sun ONE graphical user interface (GUI) or through a command-line
script. For instructions about creating the Object entries using
the GUI, see the Sun ONE documentation.

The sample script
has an LDAP entry named lcuser. This entry is for
VLV-related configuration for user synchronization in AEM forms.
Modify the following properties accordingly:

Entry name: The
entry name in this sample is lcuser. If lcuser is
changed, it must be changed in all areas of the sample script.

vlvBase: The
Base DN specified on the User Settings page.

vlvFilter: The
Search Filter specified on the User Settings page.

vlvSort: The
Sort Field specified in the VLV settings section of the User Settings
page. A VLV control requires you to specify a sort control. This
field is used as the sort parameter for the vlv index created.

aci: The
access control specified in the sample script grants any authenticated user
the right to access the VLV indexes for read, search, and compare
operations. The administrator can restrict access to a binding user,
which is configured in the Directory Server Settings page specified
in the User Management user interface. If permissions are not given,
user search cannot use the VLV, and the LDAP server throws a permission
exception.

The
vlvindex tool is present in the directory server instance directory.
If the Sun ONE Server has two instances running server1 and server2,
the vlvindex tool is located in Sun ONE server directory\server1
directory. The value for parameter -T is the value
of the cn attribute of the vlvindex entry created previously
in the sample LDIF. In this case, it is lcuser.

If VLV is also enabled for groups, create the corresponding
index for the groups. Verify whether the indexes are created by
running the following command: